diff options
Diffstat (limited to 'base/ra/lib/perl/PKI/RA/CAInfoPanel.pm')
-rwxr-xr-x | base/ra/lib/perl/PKI/RA/CAInfoPanel.pm | 289 |
1 files changed, 289 insertions, 0 deletions
diff --git a/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm new file mode 100755 index 000000000..4cc65e5cf --- /dev/null +++ b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm @@ -0,0 +1,289 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# +# + +use strict; +use warnings; +use PKI::RA::GlobalVar; +use PKI::RA::Common; +use URI::URL; + +package PKI::RA::CAInfoPanel; +$PKI::RA::CAInfoPanel::VERSION = '1.00'; + +use PKI::RA::BasePanel; +our @ISA = qw(PKI::RA::BasePanel); + +our $cert_header="-----BEGIN CERTIFICATE-----"; +our $cert_footer="-----END CERTIFICATE-----"; + +sub new { + my $class = shift; + my $self = {}; + + $self->{"isSubPanel"} = \&is_sub_panel; + $self->{"hasSubPanel"} = \&has_sub_panel; + $self->{"isPanelDone"} = \&PKI::RA::Common::no; + $self->{"getPanelNo"} = &PKI::RA::Common::r(4); + $self->{"getName"} = &PKI::RA::Common::r("CA Information"); + $self->{"vmfile"} = "cainfopanel.vm"; + $self->{"update"} = \&update; + $self->{"panelvars"} = \&display; + bless $self,$class; + return $self; +} + +sub is_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub has_sub_panel +{ + my ($q) = @_; + return 0; +} + +sub validate +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("CAInfoPanel: validate"); + return 1; +} + +sub update +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("CAInfoPanel: update"); + + my $count = $q->param('urls'); + &PKI::RA::Wizard::debug_log("CAInfoPanel: update - got urls = $count"); + + &PKI::RA::Wizard::debug_log("CAInfoPanel: update - selected ca= $count"); + + my $instanceID = $::config->get("service.instanceID"); + my $host = ""; + my $https_ee_port = ""; + my $https_agent_port = ""; + my $https_admin_port = ""; + my $domain_xml = ""; + + if ($count =~ /http/) { + my $info = new URI::URL($count); + $host = $info->host; + $https_ee_port = $info->port; + $domain_xml = get_domain_xml($host, $https_ee_port); + if ($domain_xml eq "") { + $::symbol{errorString} = "missing security domain. CA must be installed prior to RA installation"; + return 0; + } + + $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $host, $https_ee_port); + $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $host, $https_ee_port); + + if(($https_admin_port eq "") || ($https_agent_port eq "")) { + $::symbol{errorString} = "missing secure CA admin or agent port. CA must be installed prior to RA installation"; + return 0; + } + } else { + $host = $::config->get("preop.securitydomain.ca$count.host"); + $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + $https_agent_port = $::config->get("preop.securitydomain.ca$count.secureagentport"); + $https_admin_port = $::config->get("preop.securitydomain.ca$count.secureadminport"); + } + + if (($host eq "") || ($https_ee_port eq "") || ($https_admin_port eq "") || ($https_agent_port eq "")) { + $::symbol{errorString} = "no CA found. CA must be installed prior to RA installation"; + return 0; + } + + &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port"); + + $::config->put("preop.cainfo.select", "https://$host:$https_admin_port"); + my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname"); + + my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); + $::config->put("conn.ca1.clientNickname", $subsystemCertNickName); + $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port); + $::config->put("conn.ca1.hostagentport", $host . ":" . $https_agent_port); + $::config->put("conn.ca1.hostadminport", $host . ":" . $https_admin_port); + + $::config->commit(); + + # connect to the CA, and retrieve the CA certificate + &PKI::RA::Wizard::debug_log("CAInfoPanel: update connecting to CA and retrieve cert chain"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + my $tmpfile = "/tmp/ca-$$"; + system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile"); + my $cmd = `cat $tmpfile`; + system("rm $tmpfile"); + my $caCert; + if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) { + $caCert = $1; + &PKI::RA::Wizard::debug_log("CAInfoPanel: ca= $caCert"); + } + if ($caCert eq "") { + &PKI::RA::Wizard::debug_log("CAInfoPanel: update no cert chain found"); + return 0; + } + open(F, ">$instanceDir/conf/caCertChain2.txt"); + print F $cert_header."\n".$caCert."\n".$cert_footer; + close(F); + + &PKI::RA::Wizard::debug_log("CAInfoPanel: update retrieve cert chain done"); + + #import cert chain + system("p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt"); + my $r = $? >> 8; + my $failed = $? & 127; + if (($r > 0) && ($r < 10) && !$failed) { + my $i = 0; + while ($i ne $r) { + my $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA c2cert$i"`; + $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA c2cert$i" -t "CT,C,C" -i $instanceDir/conf/chain2cert$i.der`; + $i++; + } + } + + return 1; +} + +sub display +{ + my ($q) = @_; + &PKI::RA::Wizard::debug_log("CAInfoPanel: display"); + + $::symbol{urls} = []; +# unshift(@{$::symbol{urls}}, "External CA"); + my $count = 0; + my $first = 1; + my $list = ""; + while (1) { + my $host = $::config->get("preop.securitydomain.ca$count.host"); + if ($host eq "") { + goto DONE; + } + my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + my $name = $::config->get("preop.securitydomain.ca$count.subsystemname"); + my $item = $name . " - https://" . $host . ":" . $https_ee_port; +# my $item = "https://" . $host . ":" . $https_ee_port; +# unshift(@{$::symbol{urls}}, $item); + $::symbol{urls}[$count++] = $item; + if ($first eq 1) { + $list = $item; + $first = 0; + } else { + $list = $list.",".$item; + } + } +DONE: +# $list = $list.",External CA"; + $::config->put("preop.ca.list", $list); + + $::symbol{urls_size} = $count; + if ($count eq 0) { + $::symbol{errorString} = "no CA found. CA, TKS, and optionally DRM must be installed prior to RA installation"; + return 0; + } + return 1; +} + +sub get_domain_xml +{ + my $host = $1; + my $https_ee_port = $2; + + # get the domain xml + # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML + + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $instanceID = $::config->get("service.instanceID"); + my $instanceDir = $::config->get("service.instanceDir"); + my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; + $db_password =~ s/\n$//g; + + my $sd_host = $::config->get("securitydomain.host"); + my $sd_admin_port = $::config->get("securitydomain.httpsadminport"); + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; + + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + return $content; +} + +sub get_secure_admin_port_from_domain_xml +{ + my $content = $1; + my $host = $2; + my $https_ee_port = $3; + + # Retrieve the secure admin port corresponding + # to the selected host and secure ee port. + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $xml = $parser->XMLin( $response->{'DomainInfo'}, + ForceArray => 1 ); + my $https_admin_port = ""; + my $count = 0; + foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { + if( ( $host eq $c->{'Host'}[0] ) && + ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { + $https_admin_port = https_$c->{'SecureAdminPort'}[0]; + } + + $count++; + } + + return $https_admin_port; +} + +sub get_secure_agent_port_from_domain_xml +{ + my $content = $1; + my $host = $2; + my $https_ee_port = $3; + + # Retrieve the secure agent port corresponding + # to the selected host and secure ee port. + my $parser = XML::Simple->new(); + my $response = $parser->XMLin($content); + my $xml = $parser->XMLin( $response->{'DomainInfo'}, + ForceArray => 1 ); + my $https_agent_port = ""; + my $count = 0; + foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { + if( ( $host eq $c->{'Host'}[0] ) && + ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { + $https_agent_port = https_$c->{'SecureAgentPort'}[0]; + } + + $count++; + } + + return $https_agent_port; +} + +1; |